Threat intelligence is now a staple for information security teams looking to be proactive. The best threat intelligence greatly improves the organization’s ability to quickly and effectively address known threats and malicious sites in near real time. Integrating highly dynamic, cutting edge intelligence on phishing, malware, and known malicious sites using SURBL is an elegant and effective means to deploy this intelligence across your organization. The DNS platform becomes a critical control point to deploy and enable this intelligence for all users, protocols, and applications across your network.
SURBL data feeds deliver this intelligence with high effectiveness, accuracy and performance through fast updates and resulting fresh data. The SURBL team is composed of highly experienced security research experts, positioned across the globe. SURBL has been gathering data for over 11 years and provides unparalleled visibility to malicious activities on a global scale – threat intelligence that is critical addition to your defenses. What makes SURBL different is the sophisticated processes used to develop this intelligence, the extensive visibility and comprehensive nature of how SURBL gathers such data and make it easily available and accessible to everyone. SURBL data is used by leading organizations across the globe.
The next part of this blog addresses the key question:
What goes into the complex process of developing SURBL actionable intelligence to make it trustworthy, actionable, and indispensably valuable for customers of Infoblox ActiveTrust® products and services.
An Overview of SURBL
- SURBL is a trusted member of the Internet ecosystem. With security researchers and coverage globally, SURBL has been producing domain intelligence for 11+ years. Beginning as a core component of SpamAssassin, and continuing to extend its reach and visibility, SURBL delivers unparalleled insight into malicious domain activity.
- SURBL visibility includes direct, trusted relationships with technology, security, and messaging providers on all continents, including direct relationships with the industry’s leading registries and registrars.
- SURBL’s expertise lies in domain intelligence and is its core competency. The team of researchers and data scientists analyzes, distills, and processes the vast intel on malware, phishing, and URL activity globally…and ultimately delivers truly exceptional, usable data feeds on malicious domain activity.
- As a result of this extensive visibility—and years of expertise and trusted position within the Internet ecosystem—SURBL is able to provide this very high level of insight and threat intel to improve the accuracy of your defenses.
- SURBL is well known for fast, dynamic, accurate intel on advanced phishing and malware data sources.
There are three critical aspects of generating trustworthy, actionable, and indispensably valuable threat Intelligence – how SURBL creates the intelligence, data on how we keep the information current and finally how we ensure accuracy and usability of the data.
1. How SURBL Creates High-quality Intel
SURBL creates high-quality intelligence by acquiring, analyzing, and distilling malware URLs from many sources. The multitude of data sources ensure that the data is comprehensive and has been highly screened for false positives. The sources include:
- Malware files are acquired in multiple ways, and fed directly into SURBL’s malware processing system.
- Near real-time processing of executable malware files provides for increased infrastructure protection to SURBL customers using its Multi or RPZ malware zones.
- Malware URL, malware hosts
- Thwarting of malware via obstruction of its command-and-control (C&C) communications
- C&C entries
- Exploit kits (EK)
- Monitoring of multiple malware families
- Real-time detection and listing
- Near real-time processing of executable malware files, providing for increased infrastructure protection to SURBL customers using its RPZ malware zones
- Partner malware feeds
- Immediate malware URLS processing
- Differentiated processing based upon the risk score from the sandbox
- Filtering of embedded URLs collected to remove benign retrievals
- Malware processing cycles every minute
- Numerous proprietary and cutting-edge techniques, which have been developed and tested internally, to enable what is considered by many to be the best domain intelligence available
2. Some statistics to quantify accuracy and currency of the intelligence
SURBL produces several rich and accurate data feeds, including Multi and Fresh.
Multi contains approximately 800k – 1.5m “current, active” bad domains and updates continuously every 1 – 2 minutes, delivering cutting-edge near real time intel.
- Fast, accurate, up-to-date intel on phishing and malicious domains
- High accuracy with near-zero false positives
Fresh intel on new domains delivers information on the exact age of new domains. Most new domains are malicious—and this intel enables actionable and effective policy decisions (block, warning, nxdomain, etc.).
- Tells the exact hour domain was created
- Can accurately block access to domains less than x hours old
3. Ensure Accuracy and Usability
The focus is on actionable intelligence, delivered with near-zero false positives, which can be deployed and used to block malicious activity in near real time.
- SURBL obsesses on accuracy—and in all cases errs on the side of caution.
- SURBL understands that accuracy is paramount, and ensures the data delivered contains usable, actionable data…not just noise and false alarms.
- SURBL invests a great amount of resources and commitment to a policy in which accuracy of the data is paramount. The accuracy has been demonstrated and supported in numerous trials, and by the current users and partners of SURBL.
If you are not convinced, we encourage real-time tests in your environment—so you can test drive and see the results. You can contact Infoblox to trial their products which include SURBL threat intelligence. You can do that by visiting the ActiveTrust and ActiveTrust Cloud Eval pages. To use SURBL threat intelligence for each, make sure to evaluate plus or advanced for ActiveTrust & plus for ActiveTrust Cloud.